Security researchers have discovered a vulnerability in iOS apps, one that could allow hackers to force the apps to send and receive data from the hackers’ own servers rather than the legitimate ones they were coded to connect to, BITS reported on Tuesday.
Researchers from Israel-based Skycure made the discovery in a way similar to other huge ones: by accident (think penicillin). They first noticed that their own application was redirecting to an incorrect address, then discovered that they could force many other apps to exhibit the same behavior, through what Skycure calls HTTP request hijacking (HRH).
They estimate that at least 10,000 iOS apps in the App Store are vulnerable to the hack.
The hack leverages something known as the 301 Moved Permanently status code. Websites use this to redirect visitors to the correct page when an address has changed. When this happens, browsers, and apps, cache the redirection instruction. While that redirection is readily visible in a browser (the address bar shows the new location), it is not when you are using an app.
Once you understand that caching behavior, it becomes fairly obvious how attackers could exploit it. Carrying out the attack does require an unsecured network, but considering the number of open Wi-Fi networks found at coffee shops and other locations, the danger is real.
A hacker first performs a man-in-the-middle attack: when the end user opens a vulnerable app, the attacker intercepts the HTTP connection it requests and provides a fraudulent 301 status response, which causes the app to cache the malicious redirect. The next time the app needs to visit that URL, it will hit the fraudulent site instead.
Yair Amit, CTO and co-founder of Skycure, wrote the following in an e-mail.
Since Apple does not approve automatic download and scanning of iOS applications, we decided to do manual tests of a bunch of high-profile applications. Due to the fact [that] almost half of them were susceptible to HRH, we estimate that the number of vulnerable apps is very large, probably tens of thousands.
There are limitations to the attack:
1. The attacker needs to be physically near the victim for the initial poisoning (the next steps of an attack are geolocation-agnostic).
2. The attack works only against HTTP traffic.
Admittedly, even 2) above could be circumvented if social engineering is used and a victim installs a malicious profile that includes fraudulent digital certificates.
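To make the caching behavior described above concrete, here is an added example (not Skycure's code, and not from any real app) that models an app-side permanent-redirect cache in two forms: a naive one that remembers any 301 it sees, and a hardened one that only persists redirects learned over HTTPS, which is the mitigation implied by the HTTP-only limitation. All URLs are constructed placeholders.

```python
"""Model of how an HTTP client caches a 301 Moved Permanently redirect, and a
hardened variant that refuses to persist redirects learned over cleartext.
Added example; every URL below is constructed for illustration."""
from urllib.parse import urlparse


class RedirectCache:
    """Naive client cache: any 301 Location header is remembered for the URL."""

    def __init__(self):
        self.permanent = {}  # original URL -> redirected URL

    def handle_response(self, url, status, location):
        # Real apps persist this across launches, which is what makes a single
        # poisoned response on an untrusted network matter later.
        if status == 301 and location:
            self.permanent[url] = location

    def resolve(self, url):
        """Return the URL the client would actually contact, following cached 301s."""
        seen = set()
        while url in self.permanent and url not in seen:
            seen.add(url)
            url = self.permanent[url]
        return url


class HardenedRedirectCache(RedirectCache):
    """Only trusts a permanent redirect when both ends use HTTPS."""

    def handle_response(self, url, status, location):
        if status != 301 or not location:
            return
        src, dst = urlparse(url), urlparse(location)
        if src.scheme == "https" and dst.scheme == "https":
            self.permanent[url] = location
        # A 301 received over plaintext HTTP is never stored: the client may
        # follow it for this one request, but later requests go to the coded URL.


def demo():
    api = "http://api.example.test/v1/feed"       # constructed legitimate endpoint
    other = "http://redirect.invalid/v1/feed"     # constructed unexpected target
    naive, hardened = RedirectCache(), HardenedRedirectCache()
    for cache in (naive, hardened):
        cache.handle_response(api, 301, other)    # one 301 seen on an open network
    # Naive client keeps contacting the redirected host; hardened client does not.
    return naive.resolve(api), hardened.resolve(api)
```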
Although the report focuses on iOS, Android and Windows Phone aren’t necessarily free from this vulnerability. As you might expect if you understand the hack even at a high level, they could be just as vulnerable, and Skycure acknowledges as much.
The lack of information on Android and Windows Phone is simply because Skycure did not take the time — despite the fact that their website says they work on both iOS and Android — to try the other platforms.